    Serve a secure redirect in case of accessing /foo · fbf87a29
    Nick Thomas authored
    When a request's path resolved to a directory on disk and lacked a trailing
    slash character, we issued a 302 Found redirect to the request's path, plus the
    missing trailing slash. However, some request paths are valid absolute URIs
    (particularly protocol-neutral //example.com URIs), so this was an open redirect
    vulnerability.
    
    This problem is avoided by generating a URI from the actual location of a file
    that we want to present.
    
    There were also numerous potential bypasses of other security checks for
    inferred index.html files and custom error pages; this commit closes these
    holes at the same time by recursively running the checks if necessary.
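
The open redirect the commit describes, as an added Go example that is not the project's code and does not reproduce this commit's implementation. `vulnerableRedirectTarget` appends the trailing slash to the raw request path, so a request for `//example.com` produces `Location: //example.com/`, which browsers resolve as a protocol-relative absolute URL to a foreign host. `safeRedirectTarget` instead derives the Location from the resolved directory on disk, relative to the site root, so the result always starts with exactly one `/`. The function names, the site-root argument and the directory names are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// vulnerableRedirectTarget mirrors the behaviour described in the commit
// message: the redirect target is the request path plus a "/". For a request
// path of "//example.com" this yields "//example.com/", a protocol-relative
// URL, so the server acts as an open redirector.
func vulnerableRedirectTarget(reqPath string) string {
	return reqPath + "/"
}

var errNotDir = errors.New("request does not resolve to a directory under the site root")

// safeRedirectTarget builds the redirect target from where the directory
// actually lives on disk, never from the raw request path. It returns an error
// when the request does not resolve to a directory inside root.
// (Hypothetical helper; the real project's logic may differ.)
func safeRedirectTarget(root, reqPath string) (string, error) {
	// The leading "/" keeps the path rooted; path.Clean collapses repeated
	// slashes ("//example.com" -> "/example.com") and resolves "..".
	clean := path.Clean("/" + reqPath)

	absRoot := filepath.Clean(root)
	onDisk := filepath.Join(absRoot, filepath.FromSlash(clean))

	// Defence in depth: the joined path must still be inside the root.
	if onDisk != absRoot && !strings.HasPrefix(onDisk, absRoot+string(filepath.Separator)) {
		return "", errNotDir
	}

	info, err := os.Stat(onDisk)
	if err != nil || !info.IsDir() {
		return "", errNotDir
	}

	// Rebuild the URI path from the on-disk location relative to the root, so
	// the result is path-absolute (one leading slash) and cannot name a host.
	rel, err := filepath.Rel(absRoot, onDisk)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "/", nil
	}
	return "/" + filepath.ToSlash(rel) + "/", nil
}

func main() {
	// Constructed site root for the demo: two directories, "foo" and "example.com".
	root, err := os.MkdirTemp("", "pages-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, d := range []string{"foo", "example.com"} {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			panic(err)
		}
	}

	for _, p := range []string{"/foo", "//example.com", "/foo/..//example.com", "/missing"} {
		safe, err := safeRedirectTarget(root, p)
		fmt.Printf("%-24s vulnerable=%-20q safe=%q err=%v\n",
			p, vulnerableRedirectTarget(p), safe, err)
	}
}
```

Run it and compare the two columns: the vulnerable target for `//example.com` points off-site, while the safe target for the same request is `/example.com/` (a directory of that name under the root) and a request that resolves to nothing on disk gets no redirect at all.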